<div dir="ltr"><div>Updated patch including make.sh.</div><div><br></div><div>On Alpine, to build, install libretls-dev, which should pull in the dependencies. For my embedded builds I manually build BearSSL and <a href="https://github.com/michaelforney/libtls-bearssl">https://github.com/michaelforney/libtls-bearssl</a>, adding appropriate -L flags in LDFLAGS. I've also tested that it works with libtls+libressl. The existing wget toy is broken in a few ways in how it handles the HTTP protocol; for example, GitHub won't work. I'll refactor how the toy handles headers to fix that in the near future.</div><div><br></div><div>Rob, do you still prefer email patches? I can also push these to GitHub if you so desire, but this patch is based on your local git, so it should apply cleanly.<br></div><div><br></div><div>- Eric<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Oct 17, 2021 at 8:48 PM Eric Molitor <<a href="mailto:emolitor@molitor.org">emolitor@molitor.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div>Let me take a look at signify. I'll also send the missing part of the patch with -ltls shortly.</div><div dir="auto"><br></div><div dir="auto">Alpine has libtls, either the OpenSSL port in the libretls package or the original OpenBSD libressl-tls. For my embedded stuff I'm statically linking BearSSL and <a href="https://github.com/michaelforney/libtls-bearssl" target="_blank">https://github.com/michaelforney/libtls-bearssl</a></div><div dir="auto"><br></div><div dir="auto">I've not looked at Denys' implementation, but will take a peek at what he is doing.</div><div dir="auto"><br></div><div dir="auto">And yes, this violates the library policy, although I'd rather leverage a relatively known-good TLS than implement a new one. 
This is definitely me scratching an itch that might not be worth integrating for everyone.</div><div dir="auto"><br></div><div dir="auto">- Eric</div><div dir="auto"><br><div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr">On Sun, 17 Oct 2021, 8:04 pm Rob Landley, <<a href="mailto:rob@landley.net" target="_blank">rob@landley.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 10/17/21 8:44 AM, Eric Molitor wrote:<br>
> Attached is a relatively quick and certainly dirty patch to wget adding TLS<br>
> support via libtls.<br>
<br>
<a href="https://landley.net/toybox/design.html#:~:text=policy%20on%20shared%20libraries" rel="noreferrer noreferrer" target="_blank">https://landley.net/toybox/design.html#:~:text=policy%20on%20shared%20libraries</a><br>
<br>
> I threw this together on a plane but it's working reasonably<br>
> well for me allowing me to remove Curl/libcurl on a few projects. I will submit<br>
> further patches to clean up this toy as it's in pretty dire shape.<br>
<br>
Which of the libraries in make.sh contained the https stuff? You didn't add<br>
anything to:<br>
<br>
for i in util crypt m resolv rt selinux smack attr crypto z log iconv<br>
<br>
And yet it built for you? I haven't even got a tls.h in my /usr/include (except<br>
the linux/ one), presumably I need to install a -dev for that.<br>
<br>
> When statically building with bearssl and libtls-bearssl this adds about 175K<br>
> which isn't too bad for a TLS 1.1/1.2 implementation.<br>
<br>
According to make baseline/bloatcheck the one Denys Vlasenko implemented in<br>
busybox (CONFIG_FEATURE_WGET_HTTPS) is 22,564 bytes on x86-64. It's the<br>
networking/tls* code.<br>
<br>
> Building with libressl's<br>
> tls implementation expands this by about 400K but also gets you TLS 1.3 support.<br>
> By default only TLS 1.1 and 1.2 are enabled. I'll add another configuration<br>
> option to enable TLS 1.3.<br>
> <br>
> Feedback greatly appreciated.<br>
<br>
I haven't looked at Denys' implementation closely to see what he's done. I<br>
downloaded BearSSL, matrixssl, and Rich Felker pointed me at a library called<br>
signify (<a href="https://github.com/aperezdc/signify" rel="noreferrer noreferrer" target="_blank">https://github.com/aperezdc/signify</a>) for when I get around to this todo<br>
item, but I'm really trying to get through the shell first.<br>
<br>
> - Eric<br>
<br>
Rob<br>
</blockquote></div></div></div>
</blockquote></div>